    From Mike Powell@1:2320/105 to All on Wed Apr 23 08:53:00 2025
    Lotus Panda hits unnamed government with bespoke hacking tools and malware

    Date:
    Tue, 22 Apr 2025 16:00:00 +0000

    Description:
    The infamous Chinese group used brand new tools to hit multiple victims in Southeast Asia

    FULL STORY ======================================================================
    - The group struck government, air control, and telco firms in Southeast Asia
    - Victims were not named
    - Lotus Panda used never-before-seen infostealers and loaders

    Lotus Panda, a Chinese state-sponsored threat actor, managed to compromise multiple organizations in a number of Southeast Asian countries, in a
    campaign that took place between mid-2024 and early 2025.

    Cybersecurity researchers from the Symantec Threat Hunter Team said the organizations included government agencies, air traffic control
    organizations, telecom operators, and a construction company in one country,
    a news agency in another, and an air freight organization in another. The victim countries, or organizations, were not named.

    In the attack, the group used never-before-seen malware, loaders, credential stealers, and reverse SSH tools.

    Chinese cyber-spies

    Lotus Panda allegedly abused legitimate executables from antivirus companies Trend Micro and Bitdefender, using them to sideload malicious DLL files
    which dropped and decrypted second-stage payloads. The threat actor also allegedly updated Sagerunex, a group-exclusive tool that can steal sensitive
    information and exfiltrate it, encrypted, to a third-party server. We don't
    know how the group made the initial breach, though.
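    The sideloading pattern described above (a trusted, signed executable pulling in a malicious DLL placed beside it) can be triaged on disk with a simple heuristic: a DLL sitting in the same directory as an executable, whose file name collides with a library the operating system normally resolves from its own system directory. The following script is an added example written for this post; it is not code from the article, from Symantec, or from the campaign. The list of system DLL names and the sample directory listing are constructed for illustration, and a real deployment would build the name list from a known-good host.

```python
"""Heuristic scan for DLL side-loading candidates.

Added example, not part of the news post or Symantec's research. It flags
DLLs that sit in the same directory as an executable and whose file name
collides with a DLL the operating system normally resolves from its own
system directory. Because the default Windows search order checks the
application directory before the system directory, such a file would be
loaded in place of the genuine library. The system DLL name list and the
sample directory listing below are constructed for illustration.
"""
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed, illustrative set of library names that are expected to be
# resolved from the Windows system directory. A real deployment would build
# this from an inventory of %SystemRoot%\System32 on a known-good host.
SYSTEM_DLL_NAMES = frozenset({
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "msimg32.dll", "winhttp.dll", "dwmapi.dll",
})


def find_sideload_candidates(paths, system_dlls=SYSTEM_DLL_NAMES):
    """Return a sorted list of (exe_path, dll_path) pairs worth inspecting.

    `paths` is an iterable of Windows-style file paths (strings). A DLL is
    reported when (a) an .exe lives in the same directory and (b) the DLL's
    name matches one expected to come from the system directory.
    """
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        suffix = p.suffix.lower()
        if suffix in (".exe", ".dll"):
            by_dir[str(p.parent).lower()][suffix[1:]].append(p)

    findings = []
    for entries in by_dir.values():
        if not entries["exe"]:
            continue  # no host executable here, nothing to side-load into
        for dll in entries["dll"]:
            if dll.name.lower() in system_dlls:
                for exe in entries["exe"]:
                    findings.append((str(exe), str(dll)))
    return sorted(findings)


def scan_directory(root, system_dlls=SYSTEM_DLL_NAMES):
    """Walk a real directory tree and apply the same heuristic (Windows hosts)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return find_sideload_candidates(paths, system_dlls)


# Constructed sample listing: a staging directory holding a DLL whose name
# collides with a system library, beside a directory that is clean, plus
# the genuine system copy (no executable is listed beside it here).
SAMPLE_LISTING = [
    r"C:\Users\Public\Update\vendor_scanner.exe",
    r"C:\Users\Public\Update\version.dll",
    r"C:\Users\Public\Update\config.ini",
    r"C:\Program Files\Tool\tool.exe",
    r"C:\Program Files\Tool\toolcore.dll",
    r"C:\Windows\System32\version.dll",
]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_LISTING):
        print(f"candidate: {dll} may be loaded by {exe}")
```

    The heuristic is deliberately narrow: a DLL with a private, application-specific name (such as toolcore.dll above) is not reported, because the signal is the name collision with a library the loader expects to find elsewhere. Anything flagged should be confirmed by checking whether the DLL carries a valid signature from the same publisher as the executable.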

    Other notable tools used in this campaign are infostealers ChromeKatz and CredentialKatz.

    "The attackers deployed the publicly available Zrok peer-to-peer tool, using the sharing function of the tool in order to provide remote access to
    services that were exposed internally," Symantec said. "Another legitimate
    tool used was called 'datechanger.exe.' It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts."
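    Timestamp manipulation of the kind attributed to datechanger.exe above leaves traces that forensic analysts routinely look for. The script below is an added example written for this post, not code from the article or from Symantec, and it does not model datechanger.exe specifically. It applies two general heuristics to records extracted from an NTFS Master File Table: the $STANDARD_INFORMATION creation time predating the kernel-maintained $FILE_NAME creation time, and a $STANDARD_INFORMATION timestamp with a zero sub-second component. Both are assumptions about typical tool behaviour rather than proof, and the MftRecord shape and sample records are constructed.

```python
"""Heuristic checks for manipulated NTFS timestamps ("timestomping").

Added example, not from the news post or Symantec. It applies two widely
used forensic heuristics to records taken from an NTFS Master File Table:
  1. The $STANDARD_INFORMATION (SI) creation time predates the $FILE_NAME
     (FN) creation time. Timestamp-editing tools typically rewrite SI only,
     while FN is maintained by the kernel.
  2. An SI timestamp has a zero sub-second component. NTFS stores 100 ns
     resolution, so round-second values are unusual for naturally written
     files and typical of tools that set whole-second times.
Each heuristic is an assumption about tool behaviour and can produce false
positives; the output is a triage list, not a verdict. Sample records are
constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftRecord:
    """Constructed record shape: one file with its SI and FN timestamps."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def _whole_second(ts: datetime) -> bool:
    # datetime keeps microseconds; an NTFS extractor would expose 100 ns ticks,
    # and a zero value at either resolution is the signal of interest.
    return ts.microsecond == 0


def check_record(rec: MftRecord) -> list:
    """Return the names of the heuristics that fire for one record."""
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("si_created_before_fn_created")
    if _whole_second(rec.si_created) or _whole_second(rec.si_modified):
        reasons.append("whole_second_si_timestamp")
    return reasons


def triage(records):
    """Map path -> fired heuristics for every record with at least one hit."""
    result = {}
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            result[rec.path] = reasons
    return result


def _t(iso: str) -> datetime:
    """Parse an ISO-8601 string as UTC (helper for the constructed samples)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample MFT records.
SAMPLE_RECORDS = [
    # Ordinary document: SI and FN agree, natural sub-second precision.
    MftRecord(r"C:\Users\alice\report.docx",
              _t("2025-01-14T09:12:33.481920"), _t("2025-01-20T16:05:07.113004"),
              _t("2025-01-14T09:12:33.481920"), _t("2025-01-14T09:12:33.481920")),
    # Backdated binary: SI claims 2019 with round seconds, FN says the name
    # was created in 2025. Both heuristics fire.
    MftRecord(r"C:\ProgramData\Cache\loader.dll",
              _t("2019-03-02T11:00:00"), _t("2019-03-02T11:00:00"),
              _t("2025-02-03T22:41:18.906611"), _t("2025-02-03T22:41:18.906611")),
    # Round-second timestamps only: weaker signal, a single heuristic fires.
    MftRecord(r"C:\Temp\notes.txt",
              _t("2025-03-01T08:00:00"), _t("2025-03-01T08:00:00"),
              _t("2025-03-01T08:00:00"), _t("2025-03-01T08:00:00")),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(reasons)}")
```

    In practice the records would come from an MFT parser rather than being typed in, and hits should be corroborated with other sources that an SI-only edit does not touch, such as the USN journal or the $FILE_NAME attribute itself.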

    Lotus Panda is a known state-sponsored group, sometimes reported as Billbug, Lotus Blossom, Thrip, Spring Dragon, and Bronze Elgin. The group has
    allegedly been active since 2009, and is focused primarily on
    cyber-espionage. Its usual targets are government agencies, defense organizations, telcos and the media in Southeast Asia.

    There were also reports of Lotus Panda attacks in the United States and Australia, which could suggest that the group is looking to expand its reach.

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/lotus-panda-hits-unnamed-government-with-bespoke-hacking-tools-and-malware

    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)